Patent Claims:

1. A method for the prevention of erroneous actuator access 
in a multifunctional general electronic control system 
wherein the actuator access requirements emanate from 
various or different system services (1), 
characterized in that a rights management 
(2) which determines the authorization of the system 
service (1) for changing the instantaneous mode of 
operation of the general control system in the event of an 
actuator access requirement, a mode of operation control 
unit (4), and an access management (6) are integrated into 
the system, in that the rights management (2) in the event 
of an access requirement by a system service (1), brings 
about an adjustment or a change of the mode of operation 
according to predefined rules in consideration of the 
instantaneous general mode of operation of the general 
control system and reports the current mode of operation 
to the access management (6), and in that the access 
management (6), depending on the reported general mode of 
operation, allows an actuator actuation only by the
'authorized' system service (1) and processes the actuator
access requirements of the system services (1) according 
to predefined arbitration rules. 

2. The method as claimed in claim 1, 
characterized in that the actuator access 
requirements of the system services (1) are recorded in a 
memory (5) and passed on to the access management (6) 
sorted according to types of arbitration. 

3. The method as claimed in claim 1 or 2,
characterized in that the actuator access 
requirement originating from a system service (1) and 
admitted to pass to an actuator (7) is determined by a 
two-stage arbitration, i.e. by a 'vertical' and a 
'horizontal' arbitration. 

4. The method as claimed in any one or more of claims 1 to 3,
characterized in that in the access 
management (6), the unauthorized access requirements are 
determined, eliminated or rejected in a first step 
depending on the reported, current general mode of 
operation, in that in a second step, vertical arbitration 
is used to evaluate and select the authorized access 
requirements according to a predefined order of priority 
of the types of arbitration, and higher priority is given 
to a 'current signal' rather than to a 'pressure signal',
while higher priority is attributed to an 'ON/OFF signal'
rather than to a 'current signal', and in that in a third 
step, horizontal arbitration is used to evaluate and 
select the access requirements determined in the second 
step according to the priority of the signal for driving 
the actuator (7).

5. The method as claimed in any one or more of claims 1 to 4,
characterized in that the rights of the 
system services (1) for the change of the mode of 
operation are written down in a read-only memory (3) to 
which the rights management (2) has access. 



6. The method as claimed in any one or more of claims 1 to 5, 
characterized in that in a general control 
system for motor vehicles which, as a base system, 
comprises a brake system (EHB, EMB), as system services
(1) emanating from which are the actuator access
requirements, the basic brake functions (BBF), wheel slip
control functions (such as ABS, TCS, ESP), diagnosis
functions (DIAG), motor pump control systems (MPA) and
interfaces (BUS) are determined and checked by the rights
management (2) in connection with the access management
(5).

7. The method as claimed in any one or more of claims 1 to 6, 
characterized in that further system 
services (1) such as 'customer software' (CSW), 'steering
functions' (steer), etc., are integrated into the general
system. 

8. The method as claimed in any one or more of claims 1 to 7, 
characterized in that in a general control 
system for motor vehicles, a distinction is made in the 
mode of operation control unit (3) at least between the 
modes of operation 'normal operation' which occurs after
termination of the starting phase in the absence of an
error message, the mode of operation 'starting phase'
which applies e.g. until expiry of a predetermined period
of time, until a minimum speed is reached for the first
time, and/or until initial testing routines are completed,
the mode of operation 'diagnosis', the mode of operation
'customer software' which is initiated in the case of an
actuator access requirement by an extraneous or auxiliary
system, and the mode of operation 'failsafe' indicating
the presence of an error message. 
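
An added sketch (not part of the patent text) of the three-step access management of claim 4, using the modes of operation of claim 8 and a subset of the system services of claim 6. The per-mode rights table, the numeric `prio` field used for horizontal arbitration, and the sample requests are assumptions made for illustration; the mode change performed by the rights management (2) is not modelled.

```c
#include <stddef.h>

/* Modes of operation from claim 8; system services from claims 6 and 7 (subset). */
enum mode { NORMAL, STARTING, DIAGNOSIS, CUSTOMER_SW, FAILSAFE, MODE_COUNT };
enum service { BBF, ABS, DIAG, CSW, SERVICE_COUNT };
/* Types of arbitration in ascending vertical priority (claim 4). */
enum sigtype { PRESSURE, CURRENT, ON_OFF };

struct request { enum service svc; enum sigtype type; int prio; int value; };

/* ASSUMED rights table (not from the patent): bit i set means service i may
 * drive actuators in that mode. Declared const, as claim 5 keeps rights in ROM. */
static const unsigned allowed[MODE_COUNT] = {
    [NORMAL]      = (1u << BBF) | (1u << ABS),
    [STARTING]    = (1u << BBF),
    [DIAGNOSIS]   = (1u << DIAG),
    [CUSTOMER_SW] = (1u << CSW),
    [FAILSAFE]    = (1u << BBF),
};

/* Returns the winning request for one actuator, or NULL if none is authorized. */
const struct request *arbitrate(enum mode m, const struct request *r, size_t n)
{
    const struct request *win = NULL;
    if ((unsigned)m >= MODE_COUNT) return NULL;   /* unknown mode: deny all */
    for (size_t i = 0; i < n; i++) {
        /* Step 1: reject requests from services not authorized in this mode. */
        if ((unsigned)r[i].svc >= SERVICE_COUNT) continue;
        if (!(allowed[m] & (1u << r[i].svc))) continue;
        /* Step 2 (vertical): a higher-ranked signal type beats a lower one.
         * Step 3 (horizontal): within one type, higher prio wins (assumed). */
        if (!win || r[i].type > win->type ||
            (r[i].type == win->type && r[i].prio > win->prio))
            win = &r[i];
    }
    return win;
}

/* Constructed sample: three services request the same actuator at once. */
static const struct request sample[] = {
    { DIAG, ON_OFF,   9,  1 },
    { BBF,  PRESSURE, 5, 80 },
    { ABS,  CURRENT,  3, 40 },
    { BBF,  CURRENT,  7, 55 },
};

/* In normal operation DIAG is rejected and BBF's current signal wins. */
int main(void) { return arbitrate(NORMAL, sample, 4) == &sample[3] ? 0 : 1; }
```

The same four requests yield a different winner, or none, depending only on the reported mode, which is the property the access management (6) enforces.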



